Open bradkovach opened 1 year ago
@psignoret hope you are well! Please have a look at my PR, which includes a host of new features and security improvements.
Found an issue where AADSSO_RESET_SETTINGS doesn't work unless you are logged in!
@psignoret any feedback here? Would love to get this merged, and then start collaborating on wordpress plugin directory support.
@psignoret I have done a lot of work to bring the plugin into a modern devops/containerizable state so that it can be deployed widely and rapidly via unattended installs.
Please enjoy the overview of changes, and let me know if you see anything that needs to be addressed urgently.
I bumped the version to 1.0.0 but this may be too eager for you. If it is, 0.8.0 would be the next breaking release.
Static configuration via defined constants now supported
This was brought on by a need for some better automation for some of my WP deployments. Specifically, we wanted the automated ability to configure WordPress/Azure AD secrets with Azure KeyVault. The plugin can now be installed and configured without logging in to WordPress. All configuration values can be provided by AADSSO_* constants. The options page displays the constant values in disabled controls, and tells the user that the setting is controlled by a constant.

Use as a must-use plugin now detected and supported.
The plugin now supports and detects when it is being used in must-use mode. By using the wp-content/mu-plugins/ installation, no initial login is needed in order to activate and configure the plugin. Plugin activation AND configuration can take place without logging in. A loader script is required. This is provided in $/load-aad-sso-wordpress.php and can be set up with a copy or a symlink.

Escape-Hatch
A new constant, AADSSO_RESET_SETTINGS, is added to allow for a no-login reset of the database settings. Should you get locked out of your site (as I have done a few times), this should make it easier to regain access.

WordPress admin actions are all now nonced to stop request forgery.
To ensure that actions are not being taken without a user's permission, all volatile admin actions are now generated as nonced actions. This should protect against a lot of potential misuse.
Anti-Forgery Token now assembled with a configurable number of nonces
Instead of using a random GUID that has to be stored in PHP $_SESSION, the plugin now utilizes a configurable number of nonces (AADSSO_NONCE_PASSES) to generate and validate a login attempt. The default number of nonces is 3, but more or less can be added. The nonces are broken apart and verified cryptographically. Since no persistence beyond the WP session ID is needed to validate the nonces, any server in a properly-configured load-balanced scenario should be able to validate the nonces, since the session ID comes from WordPress's internals, not PHP's. If session is kept in redis/etc, these will work without needing session affinity tricks. Many uses of $_SESSION remain, but these are less critical.

AADSSO_Settings class now uses a magic getter
Properties are dynamically resolved in the following order:
null
Added a one-hour cache for the jwks response
Saw a TODO for this, so GitHub Copilot took care of it.
Lots of formatting, phpdoc and WordPress style changes
Used PHPCodeSniffer to lint and apply a lot of WordPress conventions where they were missing. Class files have been renamed, as have classes, to align with the WordPress style convention of Upper_Snake_Case class names and class-lower-kebab-case.php file names.

JSON Settings Migration utility removed entirely.
JSON settings support and the migration utility have been removed entirely. The functionality wasn't using WP_Filesystem, and is begging for a security vulnerability, so it is removed.
Miscellaneous
//translator: comments added.
confirm(...) prompt added to the reset settings button.
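As an added illustration of the constant-first settings resolution and the "controlled by a constant" check the PR describes (this is example code, not the PR's or the plugin's own implementation): the class name, method names, option key and resolution order (constant, then stored option, then null) are assumptions, and get_option() is stubbed with constructed sample data so the snippet runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Assumed resolution order for a setting:
// a defined AADSSO_<KEY> constant wins, then the stored WordPress option, then null.
if ( ! function_exists( 'get_option' ) ) {
	// Stub so the example runs outside WordPress; the real plugin would use
	// WordPress's get_option(). The stored values below are constructed samples.
	function get_option( $name, $default = false ) {
		$stored = array( 'aadsso_settings' => array( 'client_id' => 'stored-client-id' ) );
		return $stored[ $name ] ?? $default;
	}
}

class AADSSO_Settings_Example {
	const OPTION_NAME = 'aadsso_settings'; // assumed option key

	private $options;

	public function __construct() {
		$this->options = (array) get_option( self::OPTION_NAME, array() );
	}

	// Name of the constant that would pin a given setting, e.g. AADSSO_CLIENT_SECRET.
	private function constant_name( $key ) {
		return 'AADSSO_' . strtoupper( $key );
	}

	// True when the setting is pinned by a constant. An options page can use this
	// to render the control disabled and tell the user a constant controls it.
	public function is_locked( $key ) {
		return defined( $this->constant_name( $key ) );
	}

	// Magic getter: constant value first, then the database value, then null.
	public function __get( $key ) {
		if ( $this->is_locked( $key ) ) {
			return constant( $this->constant_name( $key ) );
		}
		return $this->options[ $key ] ?? null;
	}
}

// Simulate a deployment that injects the secret via wp-config.php (constructed value).
define( 'AADSSO_CLIENT_SECRET', 'secret-from-keyvault' );

$settings = new AADSSO_Settings_Example();
var_dump( $settings->client_secret );                // resolved from the constant
var_dump( $settings->is_locked( 'client_secret' ) ); // pinned, so the UI disables it
var_dump( $settings->client_id );                    // resolved from the stored option
var_dump( $settings->is_locked( 'client_id' ) );     // not pinned, so the UI allows edits
var_dump( $settings->tenant );                       // neither defined nor stored
```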